Knowledge graph embedding (KGE) for cyber threat intelligence (CTI) supports tasks such as knowledge graph (KG) completion by retaining the structural information of the graph and mining the implicit relations between entities, which helps security organizations analyze potential threat information and improve their cybersecurity protection capabilities. However, learning from graph data in CTI is challenging because the data are sparse and heterogeneous, so it is critical to consider how to handle complex graph data and aggregate multiple types of semantic information simultaneously. To address the heterogeneity of KGE in CTI, we propose a heterogeneous CTI graph neural network (GNN) model, Relational-Multi-Head-Graph-Attention-Networks (R-MGAT). Specifically, the importance of the different relations is first learned through a multi-head attention mechanism. Then the neighbor features of different entities are learned under each relation. Finally, the weighted entities and the relation-based features are aggregated to generate the embedding representation. In this way, our model can capture various types of semantic information and selectively aggregate informative features. In addition, because public datasets are lacking in the CTI field, we manually constructed a CTI KG by annotating APT reports. We use entity classification and link prediction to verify our R-MGAT model. A series of benchmark experiments illustrates that R-MGAT achieves competitive performance in KGE.
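The three steps described above, as an added forward-pass sketch that is not the authors' code. The abstract gives no equations, so the toy graph, the feature and query vectors, and the dot-product scoring are all constructed assumptions standing in for learned parameters.

```python
import math

# Constructed toy CTI graph: (head, relation, tail). Not data from the paper.
TRIPLES = [
    ("APT-X", "uses", "MalwareA"),
    ("APT-X", "uses", "ToolB"),
    ("APT-X", "exploits", "Vuln-1"),
    ("APT-X", "targets", "SectorEnergy"),
]
# Constructed 3-d entity features and relation embeddings (stand-ins for learned values).
ENT = {"APT-X": [1.0, 0.0, 1.0], "MalwareA": [0.9, 0.1, 0.8], "ToolB": [0.1, 0.9, 0.2],
       "Vuln-1": [0.5, 0.5, 0.0], "SectorEnergy": [0.0, 0.2, 0.9]}
REL = {"uses": [1.0, 0.2, 0.0], "exploits": [0.3, 1.0, 0.1], "targets": [0.0, 0.1, 1.0]}
HEADS = [[1.0, 0.0, 0.5], [0.2, 1.0, 0.0]]  # assumed: one query vector per attention head

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def softmax(scores):
    m = max(scores)  # subtract the max for numerical stability
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]

def relation_weights(rels):
    """Step 1: per-head softmax over relations, averaged across heads."""
    per_head = [softmax([dot(q, REL[r]) for r in rels]) for q in HEADS]
    return {r: sum(h[i] for h in per_head) / len(HEADS) for i, r in enumerate(rels)}

def relation_feature(entity, rel):
    """Step 2: attention-weighted sum of the entity's neighbours under one relation."""
    nbrs = [t for h, r, t in TRIPLES if h == entity and r == rel]
    alpha = softmax([dot(ENT[entity], ENT[n]) for n in nbrs])
    return [sum(a * ENT[n][d] for a, n in zip(alpha, nbrs)) for d in range(3)]

def embed(entity):
    """Step 3: combine the relation-specific features using the relation weights."""
    rels = sorted({r for h, r, _ in TRIPLES if h == entity})
    if not rels:  # isolated entity: nothing to aggregate, keep its own feature
        return list(ENT[entity]), {}
    beta = relation_weights(rels)
    feats = {r: relation_feature(entity, r) for r in rels}
    return [sum(beta[r] * feats[r][d] for r in rels) for d in range(3)], beta

if __name__ == "__main__":
    vec, beta = embed("APT-X")
    print("relation weights:", beta)
    print("embedding:", vec)
```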